The effect of SOX on IT is a loaded question, but everyone would agree its impact on Information Security is significant. In the latest ISACA Journal, Janine Spears penned “How Has Sarbanes-Oxley Compliance Affected Information Security?“. After performing interviewing and data collection, the author drew these conclusions.
- Greater Business Collaboration in and Awareness of Managing Security Risks
- Greater Maturity of Security Risk Management Processes
- More Effective Application of Access Control
- Compliance Treated as an Opportunity for Greater Investments in Information Security
- Building Security Program around Compliance Requirements
- Information Security Improved
While I don’t necessarily disagree with the findings, I do think the sample size was too small and likely skewed.
This article details the results of a university study5 that was conducted to examine the activities, roles, policies and procedures that companies adopted for Sarbanes-Oxley compliance, and what impact, if any, there was on information security. Twenty people were interviewed across 10 organizations: 16 participated in Sarbanes-Oxley compliance for their companies, while four were security experts from the consulting and applied research industries. Subsequently, a survey study was conducted to validate the findings of the qualitative study, resulting in 263 usable responses. Both studies consistently led to the following six conclusions.
Regardless, SOX has given some power and visibility (if not affection) to IT information security. There’s nothing like the threat of sending the CEO to jail that gets his/her attention and support!